Your Reading List & recommendations

Brute force attacks and how to beat them

| Oct 14th, 2016

Brute Force attacks are one of the most common way hackers gain access to networks. Here’s what you need to know to make sure you’re as secure as possible, says cyber security commentator Pete Roythorne.

Pete Roythorne, cyber security commentator

How secure is your password? Unfortunately, and despite what you might think, the answer is probably ‘not secure enough’. Don’t believe me? To find out just how quickly a hacker could crack yours have a look at How secure is my password.

Scary stuff!

The password is the cornerstone of IT security, but many of us still treat them glibly. Now with the rise of cybercrime and the increasing power of technology behind it, the common password doesn’t stand a chance. According to a recent survey by Lieberman Software: 77% of respondents felt passwords are failing as an IT security method; and 53% thought modern hacking tools could easily break passwords within their organisations.

Birth of brute force

Of course, people have been trying to guess passwords for probably as long as passwords have existed. Techniques have varied from raiding bins outside businesses to finding documentation containing login information, and conning staff into handing over passwords, through to trying to guess them by using obvious words.

The latter quickly became automated as hackers set up databases, ran them as a batch process, and then sat back until the crack was complete. As computational power has increased so has the technology behind password cracking and indeed the speed at which passwords can be hacked. Modern hackers use software that will methodically work through every conceivable permutation for a password. And in today’s world of botnets and cloud architectures, computational power is relatively cheap and easy to access.

For obvious reasons, this type of attack became known as a brute force attack. Brutal, forceful and unrelenting they are one of the most common techniques cybercriminals use to gain access to a network. According to a 2015 McAfee Security Report, they amount to approximately 25% of all attacks.

In most cases, the motive behind these attacks is to gain unfettered access to restricted data, applications or resources. WordPress accounts commonly fall victim to hackers as they’re able to gain control of the publishing platform and then use it for their own nefarious purposes.

How to beat brute force attacks

A successful brute force attack can also be a launch pad for further attacks. By gaining access to point A, subsequent exploits can be launched to points B, C, D and so on. A successful brute force attack could enable a hacker to install a rootkit, add a new bot to a botnet, create a command and control centre or simply steal money or bank details. Whatever they do, once they’re in, it’s game over. So what can you do?

Tune up your passwords – Start with the basics, and make sure all your passwords are as strong as possible. Using a password management system can encourage users to employ more complex and secure (and truly random) passwords. On top of that, ensuring passwords are changed at regular intervals is also crucial.

Set up login limits – Many systems only allow a certain number of failed login attempts. If the number of attempts is exceeded the system will either lock the user out or prevent any future login attempts for a set amount of time. Interestingly it was Apple’s failure to initially implement this type of lockout in its iCloud service that led to the successful hacks and mass distribution of embarrassing celebrity pictures in 2014.

Use encryption – Make sure your systems use powerful and up-to-date encryption algorithms; old ones with known weaknesses will do little to prevent bad guys getting in.

Unfortunately, brute force attacks are not going away so your business needs to be prepared to battle against them. Following the above steps will help you make things harder for the bad guys to get in, so they’ll turn their attention to other, less savvy, businesses.